EP1504568A1 - An arrangement and a method for directing geographically dispersed units - Google Patents

An arrangement and a method for directing geographically dispersed units

Info

Publication number
EP1504568A1
Authority
EP
European Patent Office
Prior art keywords
units
arrangement
communication system
service platform
direct
Prior art date
Legal status
Withdrawn
Application number
EP03723586A
Other languages
German (de)
English (en)
French (fr)
Inventor
Nils-Göran MAGNUSSON
Niclas Klack
Stefan Johansson
Urban Modig
Current Assignee
Telia AB
Original Assignee
Telia AB
Priority date
2002-05-06
Filing date
2003-05-02
Publication date
2005-02-09
Application filed by Telia AB
Publication of EP1504568A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/46 Interconnection of networks
    • H04L 12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L 12/66 Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0272 Virtual private networks
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords

Definitions

  • the present invention concerns, according to a first aspect, an arrangement for a wired communication system for directing geographically dispersed units to the correct resource on a service platform.
  • the present invention concerns, according to a second aspect, a method for a wired communication system for directing by means of an arrangement geographically dispersed units to the correct resource on a service platform.
  • the present invention concerns, according to a third aspect, at least one computer software product for directing geographically dispersed units to the correct resource on a service platform.
  • a problem of verification arises when different units attempt to gain access to a group server.
  • a secure method for identifying these units is required, and a method of guiding the authorised units to the service platform on the group server to which they have access.
  • a user or a unit must currently log in in order to communicate with the group server.
  • the user or unit making the request for access must have a public IP address.
  • VLAN: virtual local network
  • the document WO-A2-01/31843 describes a connection method with authentication and access control together with the management of debiting/accounting.
  • the user or unit that seeks to be connected is termed "the source” in the document.
  • Several attributes are used in order to identify the source, such as MAC address, user name, userid, password, VLAN-tag and location. If a user has been identified as a source, different users can have different authorisations, even though they use the same computer. If a computer has been identified as a source, authorisation that is associated with the MAC address is given.
  • Authentication and access control of the source are carried out with the aid of "source profiles" that are stored in a database in a gateway.
  • the source profile also contains information about an account. Once a source has passed authentication and access control, redirection to a special portal page may be carried out.
  • the document WO-A2-01/31886 is related to the document WO-A2-01/31843 and describes redirection to a special portal page based on a number of attributes.
  • the connection procedure with authentication and access control is managed by a gateway.
  • the document WO-A2-01/31808 is related to the documents described above and demonstrates identification based on location or MAC address.
  • the document WO-A1-01/76294 demonstrates a method and a system for creating individual service platforms.
  • a service platform is created for each so-called "client structure" that has at least one user.
  • One user can be connected to several client structures. The user can give varying authorisation to his or her own client structure to other users.
  • a local gateway detects the installation of a local node and informs the access supplier, which presents different services for the new node.
  • Local nodes can, for example, communicate using LonWorks.
  • a VLAN management server and a "remote access server" are connected to a VLAN. Both have a table that indicates the location of terminals. The table makes it possible for the terminals to connect to the home network, independently of the particular network in which they are located. The terminals are identified by their MAC address.
  • an arrangement for a wired communication system in order to direct geographically dispersed units to the correct resource on a service platform.
  • the arrangement comprises a group server and an IP access node connected to the group server to which said units are connected via the communication system.
  • the IP access node comprises information about said units, which information is collected regularly by the group server.
  • the group server directs the unit to the correct service platform, arranged on the group server, based on a request for resources received from the unit and based on said information.
  • an arrangement is achieved for a wired communication system for the direction of geographically dispersed units to the correct resource on a service platform.
  • the arrangement comprises an IP access node, which is connected via the communication system to said units, and a group server that is included in the IP access node.
  • the IP access node comprises information about said units, which information is collected regularly by the group server.
  • the group server directs the unit to the correct service platform arranged on said group server based on a request for resources received from the unit and based on said information.
  • the group server comprises a server comprising said service platforms, and a device connected to the server that manages the requests for resources received from the units.
  • the arrangement further comprises a memory in which said information is stored in the form of tables.
  • the tables comprise information about which combination of VLAN/IP number, MAC address/IP number and user account/IP number has access to which platform.
  • One advantage is achieved in this context if the units are constituted by terminals, users or equipment, or by a combination of these.
  • One advantage is achieved in this context if said information is regularly synchronised between the group server and the IP access node.
  • the IP access node comprises an authorisation system in order to determine whether a unit is authorised, and a router that is connected to the authorisation system.
  • the authorisation system comprises an AAA server connected to the said router and a database, connected to the AAA server, comprising the identities of the units.
  • the IP access node furthermore comprises a policy server connected to the database and to said router, which policy server configures said router in accordance with the policy for a specified account.
  • a method is achieved for a wired communication system in order to direct, by means of an arrangement, geographically dispersed units to the correct resource on a service platform.
  • the method comprises the following steps:
  • One advantage is achieved in this context if the step of presenting an account and a password related to the unit is carried out by the IP access node automatically identifying and authorising the unit when it is connected, the identity of the unit having been recorded in a database that is part of the IP access node.
  • an advantage is achieved if the step of presenting an account and a password related to the unit is carried out through the input of the said account and password by the user of the unit.
  • the tables comprise information about which combination of VLAN/IP number, MAC address/IP number and user account/IP number has access to which platform.
  • the units are constituted by terminals, users or equipment, or by a combination of these.
  • the IP access node comprises a router and a policy server connected to the said router, whereby the method furthermore comprises the step:
  • At least one computer software product is achieved that can be directly loaded into the internal memory of at least one digital computer.
  • the computer software product or products comprise or comprises sections of program code for carrying out the steps according to the method when at least one of the said products is run on at least one said computer.
  • a very flexible solution to the problem of verifying platform access in a secure manner is achieved by this at least one computer software product.
  • Figure 1 is a block diagram that shows a first embodiment of the arrangement according to the present invention,
  • Figure 2 shows a logical description of the architecture comprising the arrangement shown in Figure 1,
  • FIG. 3 shows a more detailed diagram of the network architecture shown in
  • Figure 4 shows a flow chart of a method in a wired communication system for directing, by means of an arrangement, geographically dispersed units to the correct resource on a service platform according to the present invention
  • Figure 5 shows a schematic diagram of some computer software products according to the present invention.
  • Figure 1 shows a block diagram of a first embodiment of an arrangement (10) according to the present invention.
  • the arrangement (10) connects to n geographically dispersed units (14₁, ..., 14ₙ) via a wired communication system (12).
  • the wired communication system (12) is shown only schematically in Figure 1.
  • the arrangement (10) comprises a group server (16) and an IP access node (18) connected to the group server (16), through which the communication system (12) is connected to the said units (14₁, ..., 14ₙ).
  • the various units (14₁, ..., 14ₙ) can, for example, be located in different apartments with different households.
  • the IP access node (18) comprises information about the said units (14₁, ..., 14ₙ), which information is regularly collected by the group server (16).
  • when the group server (16) receives a request for resources from a unit 14ₓ, where 1 ≤ x ≤ n, it directs the unit 14ₓ to the correct service platform arranged on the group server (16), based on the request for resources and on the said information.
  • in another embodiment (not shown in the drawing) of the arrangement (10), the group server (16) is part of the IP access node (18). Otherwise this arrangement (10) functions in the same manner as the arrangement (10) shown in Figure 1.
  • the group server (16) comprises a server (22) comprising said service platforms, and a device (20) connected to the server (22) that manages the requests for resources received from the units (14₁, ..., 14ₙ).
  • the block diagram shown in Figure 1 mainly concerns the logical architecture.
  • in the physical architecture, for example, a household is not connected to the IP access node (18) by a separate cable.
  • Figure 1 does, however, show how the household experiences the situation. The same is true of the three different cables that connect the IP access node (18) to the group server (16): from the point of view of the household they are three different cables, but in the physical architecture there is only one.
  • the IP access node (18) consists of an authorisation system and a router (see also Figure 2). All information about the households (VLAN), users (ACCOUNT), units (MAC addresses) and IP addresses is located here.
  • Table 1 gives an example of the information that is stored in the IP access node (18). There are four different accounts in this table, each of them having a different IP address, MAC address and VLAN character string.
  • Table 1 shows, for example, that a user from VLAN 1 (unit 14₁) has logged on to the account Stefan@mandeln.
  • the unit that the user has logged in on (probably his or her PC) has the MAC address 00-A0-C9-E8-5F-64, and it was given the IP address 131.131.131.10.
  • a request that is to be identified by account is then sent to the IP address 192.168.30.31. This means that the request will be identified against the table "Account/IP address".
  • the server (22) in the group server (16) will identify all incoming requests on the IP address 192.168.30.31 using the table "Account/IP address".
  • the architecture shown in Figure 1 is not exclusively for use in apartments, and a house or a shop is also possible. Each apartment has been assigned a unique VLAN number. This number is used to verify from which of the apartments the traffic is generated. It is also used to label traffic that will be sent to a particular household.
  • the table "Account/IP address" (Table 2) is used if the requests are sent to the IP number 192.168.30.31.
  • the different "User Accounts” and “Directed to Platform IP”s will be configured statically. It is only the IP address for this account that will be dynamic, since users will not receive the same IP address when they log in.
  • Table 2 shows an example of the table "Account/IP address”.
  • the user account Stefan@mandeln with IP address 131.131.131.10 will, in this case, be directed to the platform 192.168.10.1.
  • the table "MAC address/IP address" (Table 3) is used if the requests are sent to the IP number 192.168.30.32.
  • the different "MAC addresses” and “Directed to Platform IP”s will be static. It is only the “IP address” that will be dynamic, since users will not always receive the same IP address when they log in.
  • Table 3 shows that the MAC address 00-A0-C9-E8-5F-64 and the IP address 131.131.131.10 will be directed to the platform of apartment 1 (unit 14₁).
  • the table "VLAN/IP address" (Table 4) is used if the requests are sent to the IP number 192.168.30.33. Everything in this table is statically configured, since it has been predetermined which platform a household and its subnet are allowed to access. As long as the request arrives with the correct VLAN character string and source IP, direction of this request is possible within this VLAN.
  • Table 4 shows that only VLAN1 will be directed to the platform for apartment 1.
  • a domain name server is located in the IP access node (18), see Figure 2, that will translate a name to an IP address and vice versa. This makes it possible for users to use names instead of IP numbers when they select the identification of their requests.
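The direction logic described for Tables 1 to 4 above, as an added example in Python that is not code from the patent: one record per logged-in unit (account, VLAN, MAC address, dynamic IP) is what the group server collects from the IP access node; the two dynamic tables are derived from those records and keyed on the source IP, the VLAN table is static, and the address a request was sent to selects which table it is matched against. The addresses 192.168.30.31/.32/.33, 131.131.131.10/.20, the MAC address 00-A0-C9-E8-5F-64, the two accounts and the platform 192.168.10.1 come from the description; the second platform, the second MAC address, the VLAN of the second account and the per-household subnets are constructed assumptions.

```python
"""Group server request direction modelled from Tables 1-4 (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

# A request is matched against the table that belongs to the address it was
# sent to (these three addresses are the ones named in the description).
ACCOUNT_SERVICE_IP = "192.168.30.31"   # table "Account/IP address"
MAC_SERVICE_IP = "192.168.30.32"       # table "MAC address/IP address"
VLAN_SERVICE_IP = "192.168.30.33"      # table "VLAN/IP address"


@dataclass(frozen=True)
class UnitRecord:
    """One row of the information held in the IP access node (cf. Table 1)."""
    account: str
    vlan: int
    mac: str
    ip: str  # dynamic: assigned when the unit logs in


# Static part of the tables: which account, MAC address or household (VLAN)
# is allowed to reach which platform.  192.168.10.1 is the platform of
# apartment 1 in the description; the rest is constructed.
ACCOUNT_TO_PLATFORM = {"Stefan@mandeln": "192.168.10.1",
                       "Niclas@mandeln": "192.168.10.2"}
MAC_TO_PLATFORM = {"00-A0-C9-E8-5F-64": "192.168.10.1"}
# Assumption: each household's VLAN owns a fixed subnet, and the VLAN table
# accepts a request only when the VLAN tag and the source address agree.
VLAN_TABLE = {1: (ip_network("131.131.131.0/28"), "192.168.10.1"),
              2: (ip_network("131.131.131.16/28"), "192.168.10.2")}


def build_tables(records) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Derive the dynamic tables (2 and 3) from the collected records.

    Both are keyed on the unit's current source IP, the only dynamic
    element; the mapping account/MAC -> platform stays static.
    """
    by_account: Dict[str, str] = {}
    by_mac: Dict[str, str] = {}
    for r in records:
        if r.account in ACCOUNT_TO_PLATFORM:
            by_account[r.ip] = ACCOUNT_TO_PLATFORM[r.account]
        if r.mac in MAC_TO_PLATFORM:
            by_mac[r.ip] = MAC_TO_PLATFORM[r.mac]
    return by_account, by_mac


# Constructed sample of what the group server collects from the access node.
SAMPLE_RECORDS = [
    UnitRecord("Stefan@mandeln", 1, "00-A0-C9-E8-5F-64", "131.131.131.10"),
    UnitRecord("Niclas@mandeln", 2, "00-A0-C9-E8-5F-65", "131.131.131.20"),
]
TABLES = build_tables(SAMPLE_RECORDS)


def direct_request(src_ip: str, dst_ip: str, vlan: int,
                   tables=TABLES) -> Optional[str]:
    """Return the platform IP a request is directed to, or None if denied.

    dst_ip selects the table; src_ip (and, for the VLAN table, the VLAN tag)
    is what the request is identified by.  A request sent to any other
    address is not a direction request and gets no platform.
    """
    by_account, by_mac = tables
    if dst_ip == ACCOUNT_SERVICE_IP:
        return by_account.get(src_ip)
    if dst_ip == MAC_SERVICE_IP:
        return by_mac.get(src_ip)
    if dst_ip == VLAN_SERVICE_IP:
        entry = VLAN_TABLE.get(vlan)
        if entry is None:
            return None
        subnet, platform = entry
        return platform if ip_address(src_ip) in subnet else None
    return None


if __name__ == "__main__":
    print(direct_request("131.131.131.10", ACCOUNT_SERVICE_IP, 1))  # 192.168.10.1
    print(direct_request("131.131.131.10", VLAN_SERVICE_IP, 2))     # None
```

Each lookup keys on values the access node recorded at login (source IP, MAC address, VLAN tag), so a unit that logged in via an unregistered MAC address is still directed by account but not by MAC, and a request whose VLAN tag does not match its source subnet is dropped rather than directed.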
  • VLAN 1 IP address: 131.131.131.10
  • IP address 131.131.131.20
  • the installed platforms are shown in Table 5. Each user has access to his or her own home, his or her personal area and the common area.
  • Example 1 PC logging in from the home.
  • Example 2 PC logging in from the home.
  • Example 3 PC logging in from the home. User Niclas logs into the account Niclas@mandeln and his PC receives the IP address 131.131.131.20.
  • the present invention uses information that is present in the IP access node (18). Examples of such information are given in Table 1. This information is used to create tables, and these tables form the basis for directing platform requests to the correct platform.
  • the invention makes possible the following:
  • FIG. 2 shows a logical description of the architecture of the arrangement (10) shown in Figure 1. Similar components in Figure 1 and in Figure 2 have been given the same reference numbers.
  • the IP access node (18) comprises an authorisation system in order to determine whether a unit 14₁, ..., 14ₙ is authorised, and a router (24) connected to the authorisation system.
  • the authorisation system comprises an AAA server (26) connected to the said router (24) ("AAA" is an abbreviation of "Authentication, Authorisation and Accounting services", a system used by a service provider to manage these functions in relation to customers), and a database (28), comprising the identities of the units 14₁, ..., 14ₙ, connected to the AAA server (26).
  • the IP access node (18) further comprises a policy server (30) that is connected to the database (28) and the said router (24) and that configures said router (24) in accordance with a policy for the specified account.
  • a VLAN is used to prevent unauthorised communication between households. In Figure 2 it is a local network, a LAN (Ethernet), serving a block of flats and two houses connected via ADSL.
  • FIG. 3 shows a more detailed diagram of the network architecture shown in
  • Figure 4 shows a flow diagram for a method in a wired communication system in order to direct, by means of an arrangement (see, for example, Figure 1), geographically dispersed units to the correct resource on a service platform according to the present invention.
  • the method commences at block (70).
  • the method then continues, at block (72), with the step: the reception of a token IP address by the unit 14ₓ, where 1 ≤ x ≤ n, when it is connected.
  • the method then continues, at block (74), with the step: the presentation of an account and a password related to the unit 14ₓ.
  • the method then continues, at block (76), with the question: "Is the unit 14ₓ authorised?".
  • if the answer to this question is negative, the unit 14ₓ is denied access to the platforms, and the steps according to blocks (72)-(76) may be repeated for a fresh attempt.
  • if, on the other hand, the answer is positive, the method continues at block (78) with the step: the regular collection, by a group server (16) that is part of the arrangement (10), of information concerning the units (14₁, ..., 14ₙ) from an IP access node (18) that is connected via the communication system (12) to the units 14₁, ..., 14ₙ.
  • the method then continues, at block (80), with the step: the reception by the group server (16) of a request for resources from a unit 14ₓ.
  • the method then continues, at block (82), with the step: the direction by the group server (16), based on the request for resources and on said information, of the unit 14ₓ to the correct service platform arranged on the group server (16).
  • the method is then terminated at block (84).
  • the step of presenting an account and a password related to the unit 14ₓ can be carried out by the IP access node (18) automatically identifying and authorising the unit 14ₓ when it is connected, the identities of the units 14₁, ..., 14ₙ having been recorded in a database (28) that is part of the IP access node (18).
  • this can be used when there are no persons in the vicinity and the unit, for example an IP telephone adapter, cannot itself carry out the authorisation process.
  • alternatively, this step takes place through a user of the unit 14ₓ inputting said account and said password.
  • the method also comprises the step: the reception by the unit 14ₓ of a usable IP address.
  • the method also comprises the step: the regular synchronisation of the information between the group server (16) and the IP access node (18).
  • the IP access node (18) comprises a router (24) and a policy server (30) connected to the said router (24), whereby the method also comprises the step: the configuration by the policy server (30) of said router (24) in accordance with the policy for the specified account.
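The access-node side of the method in Figure 4, as an added example in Python that is not code from the patent: a unit receives a token address on connecting (block 72), is either recognised by the identity recorded in the database or presents an account and password (block 74), is authorised or denied (block 76), receives a usable address, and leaves behind the record the group server collects on its regular run (block 78), after which the policy server configures the router for the account's policy. Salted PBKDF2 password storage, the address pools, the check that an account logs in from its own household's VLAN, the router rule format and all account names, MAC addresses and policies other than those in the description are constructed assumptions.

```python
"""IP access node: token address, AAA decision, usable address, policy (added example)."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def password_digest(password: str, salt: bytes) -> bytes:
    """Assumed storage format for account passwords: salted PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass(frozen=True)
class UnitRecord:
    """Row the group server collects from the access node (cf. Table 1)."""
    account: str
    vlan: int
    mac: str
    ip: str


@dataclass
class Database:
    """Database (28): accounts and the identities of units."""
    accounts: Dict[str, Tuple[bytes, bytes, int, str]]  # -> (salt, digest, home VLAN, policy)
    known_macs: Dict[str, str]  # MAC -> account, for units authorised without a person present


@dataclass
class AccessNode:
    """AAA server (26), policy server (30) and router (24) state in one object."""
    db: Database
    token_pool: List[str]
    usable_pool: List[str]
    records: List[UnitRecord] = field(default_factory=list)
    router_rules: List[str] = field(default_factory=list)

    def connect(self, mac: str) -> str:
        """Block 72: the unit receives a token IP address when it connects."""
        return self.token_pool.pop(0)

    def present(self, mac: str, vlan: int, account: Optional[str] = None,
                password: Optional[str] = None) -> Optional[str]:
        """Blocks 74-76: authorise the unit and return its usable IP, or None."""
        db = self.db
        if account is None:
            # Automatic identification: the unit's identity is recorded in the
            # database (e.g. an IP telephone adapter), so no password is asked.
            account = db.known_macs.get(mac)
            if account is None:
                return None
            entry = db.accounts.get(account)
            if entry is None:
                return None
        else:
            entry = db.accounts.get(account)
            if entry is None or password is None:
                return None
            salt, digest, _, _ = entry
            # Constant-time comparison of stored and presented digests.
            if not hmac.compare_digest(password_digest(password, salt), digest):
                return None
        _, _, home_vlan, policy = entry
        if vlan != home_vlan:  # assumption: an account belongs to one household VLAN
            return None
        ip = self.usable_pool.pop(0)  # the usable address replaces the token address
        self.records.append(UnitRecord(account, vlan, mac, ip))
        # Policy server (30) configures router (24) according to the account's policy.
        self.router_rules.append(f"permit ip host {ip} {policy}")
        return ip

    def sync(self) -> List[UnitRecord]:
        """Block 78: the information the group server collects regularly."""
        return list(self.records)


def make_sample_node() -> AccessNode:
    """Constructed sample database: two user accounts and one adapter unit."""
    salt = b"constructed-salt"
    accounts = {
        "Stefan@mandeln": (salt, password_digest("correct horse", salt), 1, "192.168.10.0/24"),
        "Niclas@mandeln": (salt, password_digest("battery staple", salt), 2, "192.168.10.0/24"),
        "adapter@mandeln": (salt, b"", 2, "192.168.10.0/24"),  # never logs in by password
    }
    known_macs = {"00-A0-C9-E8-5F-70": "adapter@mandeln"}
    return AccessNode(Database(accounts, known_macs),
                      token_pool=["10.0.0.200", "10.0.0.201"],
                      usable_pool=["131.131.131.10", "131.131.131.20"])
```

A usable address is handed out only after the authorisation question is answered positively, so a failed attempt consumes nothing and the unit can retry from block 72, as the flow chart describes; the records list is exactly the per-unit information the group server's direction tables are built from.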
  • Figure 5 shows a schematic diagram of some computer software products according to the present invention.
  • Figure 5 shows n digital computers 100₁, ..., 100ₙ, and n different computer software products 102₁, ..., 102ₙ, that can be loaded directly into the internal memory of the said computers 100₁, ..., 100ₙ.
  • each product 102₁, ..., 102ₙ comprises sections of software code for carrying out some or all of the steps according to Figure 4 when the product or products 102₁, ..., 102ₙ is or are run on the computers 100₁, ..., 100ₙ.
  • the computer software products 102₁, ..., 102ₙ can be in the form of, for example, diskettes, RAM disks, magnetic tape, optomagnetic disks, or some other suitable products.

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
SE0201362 2002-05-06
SE0201362A SE524173C2 (sv) 2002-05-06 2002-05-06 Anordning och förfarande för att dirigera enheter till korrekt resurs på en tjänsteplattform (Arrangement and method for directing units to the correct resource on a service platform)
PCT/SE2003/000716 WO2003094441A1 (en) 2002-05-06 2003-05-02 An arrangement and a method for directing geographically dispersed units

Publications (1)

Publication Number Publication Date
EP1504568A1 true EP1504568A1 (en) 2005-02-09

Family

ID=20287778

Family Applications (1)

Application Number Title Priority Date Filing Date
EP03723586A Withdrawn EP1504568A1 (en) 2002-05-06 2003-05-02 An arrangement and a method for directing geographically dispersed units

Country Status (5)

Country Link
EP (1) EP1504568A1 (sv)
AU (1) AU2003230515A1 (sv)
NO (1) NO20044376L (sv)
SE (1) SE524173C2 (sv)
WO (1) WO2003094441A1 (sv)

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
IL149223A0 (en) * 1999-10-22 2002-11-10 Nomadix Inc Systems and methods for providing dynamic network authorization, authentication and accounting
AU2001246985A1 (en) * 2000-04-03 2001-10-15 Targian Ab User information retrieving system
SE0001868D0 (sv) * 2000-05-19 2000-05-19 Telia Ab Tjänstehantering i hemmiljö (Service management in the home environment)

Non-Patent Citations (1)

Title
See references of WO03094441A1 *

Also Published As

Publication number Publication date
SE0201362L (sv) 2003-11-07
SE0201362D0 (sv) 2002-05-06
SE524173C2 (sv) 2004-07-06
NO20044376L (no) 2005-01-13
WO2003094441A1 (en) 2003-11-13
AU2003230515A1 (en) 2003-11-17

Legal Events

Date Code Title Description
PUAI: Public reference made under article 153(3) EPC to a published international application that has entered the European phase. Free format text: ORIGINAL CODE: 0009012
17P: Request for examination filed. Effective date: 20041206
AK: Designated contracting states. Kind code of ref document: A1. Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LI LU MC NL PT RO SE SI SK TR
AX: Request for extension of the European patent. Extension state: AL LT LV MK
RIN1: Information on inventor provided before grant (corrected). Inventor names: MODIG, URBAN; JOHANSSON, STEFAN; KLACK, NICLAS; MAGNUSSON, NILS-GOERAN
DAX: Request for extension of the European patent (deleted)
17Q: First examination report despatched. Effective date: 20061102
STAA: Information on the status of an EP patent application or granted EP patent. Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN
18D: Application deemed to be withdrawn. Effective date: 20070313